Insurance coverage for data breach by 'malicious insider' will depend on policy wording, says expert

Out-Law Analysis | 13 Apr 2016 | 3:28 pm | 4 min. read

FOCUS: In the absence of specific wording, insurers may be able to reject claims arising out of deliberate data breaches by disaffected employees.

With most data now stored electronically, businesses are facing new challenges in relation to data retention and keeping it secure and safe. Bespoke cyber insurance policies and, increasingly, data protection coverage as part of a general commercial liability policy will generally cover both first and third party liabilities in the event that anything happens to that data – but how will these policies respond in the face of deliberate or criminal behaviour by an employee who decides to release data to harm either colleagues or the business?

As insurance contracts are supposed to cover fortuities and not deliberate actions, insurers may be able to reject claims arising out of malicious acts by employees. It is important, therefore, for both insurers and the insured to ensure that policy wordings reflect the regulatory framework surrounding data breaches, as well as the specific types of claim that are likely to arise as a result.

The 'deliberate act' exclusion

Regardless of the type of insurance cover, most policies will contain a specific exclusion for deliberate, intentional or criminal acts by the insured. Whether this will also apply in cases involving a malicious insider will generally depend on the wording of the exclusion itself.

The clause may state that the exclusion is intended only to apply to the actions of directors or senior managers of the insured, in which case a simple factual inquiry will be required to establish the level of seniority of the malicious insider. If the wording does not specify whose deliberate acts are intended to be excluded the position becomes more complicated, as it will be necessary to consider whether the employee's acts can be attributed to the insured business.

The law of attribution was most recently considered by the courts in 2015. In the Jetivia v Bilta case, the Supreme Court held that the acts of fraudulent directors could not be attributed to the company in circumstances where the directors had caused the company to be involved in the fraud, and the company was the intended victim of the fraud.

Before this, in the KR v RSA case in 2006, the Court of Appeal considered attribution in the context of an employer's liability policy. The issue in this case was whether sexual abuse by care home managers could be attributed to the care home itself for the purpose of determining whether a 'deliberate act' exclusion in the care home's policy applied. The court found that only the acts of the senior managers, and not those of employees lower down the company hierarchy, could be attributed to the insured - which meant that the insurers were successful in excluding liability for damage or injury caused by the deliberate acts of the chief executive and the managerial employees.

The rationale in this case is likely to be applied to cases where data is deliberately leaked by employees of a company. The more senior the employee, the greater the likelihood that that employee's deliberate actions will fall within the deliberate acts exclusions commonly found in liability policies.

Possible types of claim

Liability for data breach gives rise to specific types of claims under the data protection regime, as well as liability in tort for misuse of private data.

First party losses

A data breach will undoubtedly cause significant first party losses to the insured business. These will include the costs incurred in notifying each affected data subject of the breach and the cost of legal and PR fees to manage the business' response, as well as the cost of notifying any relevant regulator. Many cyber policies are specifically designed to cover these types of first party losses.

Third party liabilities

The affected data subjects are likely to have claims for compensation under section 13 of the 1998 Data Protection Act (DPA), which will allow them to recover damages for distress. Following a Court of Appeal decision in 2015, they will not need to establish monetary loss in order to recover compensation for mere distress – although the Supreme Court has granted permission for the company involved in this case to appeal this aspect of the decision. Although the damages payable for mere distress may be modest, the overall liability could be significant in the context of group litigation where multiple data subjects have been affected by the breach.

Victims of a data breach will also have potential claims in damages for misuse of their private information on the basis that:

  • they had a reasonable expectation of privacy in respect of the information at issue; and
  • the wrongdoer handled that information in a manner which was intrusive of their privacy.

Bespoke cyber insurance policies will tend to include either a widely drawn insuring clause, which will cover breach of any data protection law and privacy breaches; or a narrower clause restricting cover to claims for compensation under section 13 of the DPA.

Vicarious liability

Where there is a claim in damages for misuse of private information, there will be little difficulty in concluding that the employer is vicariously liable for the actions of its employee. It is settled law that an employer will be held to be liable in this way for the criminal acts of its employees.

However, the position under the DPA is less clear. The DPA is a statutory scheme which envisages direct liability in circumstances where the data controller - that is, the employer - has failed to take appropriate technical and organisational measures against unauthorised or unlawful processing of personal data.

It is, at best, unclear whether the employer would be held to be vicariously liable under the DPA for data breaches in these circumstances.

Manoj Vaghela and Rebecca Ransome-Lewis are insurance law experts at Pinsent Masons, the law firm behind